lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 Dec 2010 18:24:55 -0600
From: Raphael Geissert <>
Subject: [SECURITY] [DSA-2136-1] New tor packages fix potential code execution

Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2136-1                                 Raphael Geissert
December 21, 2010           
- ------------------------------------------------------------------------

Package        : tor
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity,
does not correctly handle all data read from the network.  By supplying
specially crafted packets a remote attacker can cause Tor to overflow its
heap, crashing the process. Arbitrary code execution has not been
confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of
the IP address for the Tor directory authority gabelmoo and addresses
a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in

For the testing distribution (squeeze) and the unstable distribution (sid),
this problem has been fixed in version

We recommend that you upgrade your tor packages.

Upgrade instructions
- --------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>
Version: GnuPG v1.4.10 (GNU/Linux)


Powered by blists - more mailing lists